Page MenuHomePhabricator
Create Task
Maniphest T318854

Application Security Review Request : d3.js
Closed, ResolvedPublic
Actions

Description

Project Information

Description of the tool/project:

d3 is a tool for building data-driven documents. It allows to create almost infinite data visualizations.

Description of how the tool will be used at WMF:

It will help visualize the pageviews trends for edited articles in the newcomers user impact module. Ideally this module will be available for all users, not just in the newcomers homepage.

Dependencies
It relies on its own d3-* packages. Most seem self-contained but haven't scanned them all (https://github.com/d3/d3/blob/main/package.json)

Has this project been reviewed before?
Maybe since it's used in Graph extension but I could not find a formal report.

Working test environment
Here's a codepen

Post-deployment
The Growth Team will be responsible for this library:

Tech lead: @kostajh
Software engineers: @Tgr @Sgs

d3 modules being used:

Custom d3 build from the above packages (minified): https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/GrowthExperiments/+/refs/heads/master/modules/lib/d3/d3.min.js

Details

Risk Rating
Low
SubjectRepoBranchLines +/-
Revert "NewImpact: Remove d3 feature-flag"mediawiki/extensions/GrowthExperimentsmaster+62 -7
[no-op] GrowthExperiments: Enable D3 in productionoperations/mediawiki-configmaster+4 -3
NewImpact: Remove d3 feature-flagmediawiki/extensions/GrowthExperimentsmaster+7 -62
NewImpact: unskip NewImpact vue testmediawiki/extensions/GrowthExperimentsmaster+2 -3
[labs] GrowthExperiments: Use d3.js with new impact moduleoperations/mediawiki-configmaster+3 -0
Customize query in gerrit

Related Objects

Event Timeline

Sgs created this task.Sep 28 2022, 6:41 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 28 2022, 6:41 PM
Sgs renamed this task from Application Security Review Request : ... to Application Security Review Request : d3.js.Sep 28 2022, 6:42 PM
Sgs updated the task description. (Show Details)
Sgs removed subscribers: Catrope, egardner, AnneT.
Sgs updated the task description. (Show Details)Sep 28 2022, 6:48 PM
Sgs updated the task description. (Show Details)Sep 28 2022, 7:06 PM
Sgs added subscribers: kostajh, Tgr.
sbassett subscribed.EditedSep 29 2022, 10:03 PM

Hey @Sgs -

Thanks for the request. We can probably accommodate this review this quarter (which begins next Monday) though not on the timeline you've stated (2 - 3 weeks after a beta deployment). Per our SOP, we schedule application security reviews at the beginning of each quarter to complete during a given quarter. We do not block on beta deployments but would ask that a manager/director accept at least a medium risk for the beta deployment prior to the completion of an application security review.

sbassett moved this task from Incoming to Back Orders on the secscrum board.Sep 30 2022, 4:50 PM
sbassett claimed this task.Oct 5 2022, 4:08 PM
sbassett moved this task from Back Orders to In Progress on the secscrum board.
Sgs added a subscriber: DMburugu.Oct 10 2022, 6:14 PM
In T318854#8274199, @sbassett wrote:

Hey @Sgs -

Thanks for the request. We can probably accommodate this review this quarter (which begins next Monday) though not on the timeline you've stated (2 - 3 weeks after a beta deployment). Per our SOP, we schedule application security reviews at the beginning of each quarter to complete during a given quarter. We do not block on beta deployments but would ask that a manager/director accept at least a medium risk for the beta deployment prior to the completion of an application security review.

Alright, thanks for the anwser. cc'ing @DMburugu @kostajh

Sgs mentioned this in T220141: Impact Module: "sparkline" style graph that shows pageviews over time.Oct 10 2022, 6:16 PM
kostajh added a comment.Oct 10 2022, 8:36 PM
In T318854#8274199, @sbassett wrote:

Hey @Sgs -

Thanks for the request. We can probably accommodate this review this quarter (which begins next Monday) though not on the timeline you've stated (2 - 3 weeks after a beta deployment). Per our SOP, we schedule application security reviews at the beginning of each quarter to complete during a given quarter. We do not block on beta deployments but would ask that a manager/director accept at least a medium risk for the beta deployment prior to the completion of an application security review.

@sbassett thanks for your comment. Given that d3.js is already in production with Graph (and has been since 2016), is it acceptable to the security team for us to ship code which uses d3 in production, and not just in beta, assuming that @DMburugu can sign off on this from a risk perspective?

sbassett reassigned this task from sbassett to Reedy.Oct 11 2022, 8:40 PM
sbassett added a subscriber: Reedy.

@kostajh - Ok, good to know, thanks. @Reedy is going to have a look at this review this quarter.

DMburugu added a comment.EditedOct 17 2022, 12:57 PM

@sbassett I'm okay with a medium risk assessment on beta deployments using this library, given that we want the feature to go live in the next weeks.

Sgs added a comment.Oct 17 2022, 1:36 PM

@Reedy We're trying to restrict d3 to beta cluster with some kind of toggling, so far only hiding the UI (gerrit 836842). Do you have any suggestion on how to do this so we don't load d3.js in production?

kostajh added a comment.Oct 17 2022, 1:55 PM
In T318854#8321165, @Sgs wrote:

@Reedy We're trying to restrict d3 to beta cluster with some kind of toggling, so far only hiding the UI (gerrit 836842). Do you have any suggestion on how to do this so we don't load d3.js in production?

AIUI, since d3.js is already in production with the Graph extension, then loading itself as part of ResourceLoader should not be problematic. What we could do is avoid calling methods on the library in our code, using some feature flagging, until security review is finished.

sbassett added a comment.Oct 17 2022, 3:53 PM
In T318854#8321253, @kostajh wrote:

AIUI, since d3.js is already in production with the Graph extension, then loading itself as part of ResourceLoader should not be problematic. What we could do is avoid calling methods on the library in our code, using some feature flagging, until security review is finished.

Yes and no. I'm not seeing any recent, formal security review for d3js, so we'd certainly need to perform some kind of review, especially if we're looking at d3js's main branch, as this request seems to possibly imply? That being said, we can't perform a line-by-line audit of d3js - that just isn't feasible for our team. So what would likely be performed is a vendor review with some additional layers of high-level pentesting and similar assessments. Some recent examples of these types of reviews can be found at T288768#7551991 and T262963#6668136.

DMburugu added a comment.Oct 17 2022, 4:53 PM

Yes and no. I'm not seeing any recent, formal security review for d3js, so we'd certainly need to perform some kind of review, especially if we're looking at d3js's main branch, as this request seems to possibly imply? That being said, we can't perform a line-by-line audit of d3js - that just isn't feasible for our team. So what would likely be performed is a vendor review with some additional layers of high-level pentesting and similar assessments. Some recent examples of these types of reviews can be found at T288768#7551991 and T262963#6668136.

@sbassett Would it be possible to know where we are in the review Queue given the discovery that there was no formal security review for d3js ? We'd like to launch this in the next couple of weeks(before Mid December) and want to pace our expectations.

sbassett added a comment.Oct 17 2022, 9:02 PM
In T318854#8322187, @DMburugu wrote:

@sbassett Would it be possible to know where we are in the review Queue given the discovery that there was no formal security review for d3js ? We'd like to launch this in the next couple of weeks(before Mid December) and want to pace our expectations.

This review has been assigned to @Reedy to complete this quarter. If you would like to launch this sooner than the review is completed, a high risk can be accepted and added our risk register. Per our current risk management framework, a high risk can be accepted by a c-level.

KStoller-WMF subscribed.Oct 21 2022, 6:52 PM
gerritbot added a comment.Oct 27 2022, 11:10 AM

Change 850098 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[operations/mediawiki-config@master] [labs] GrowthExperiments: Use d3.js with new impact module

https://gerrit.wikimedia.org/r/850098

gerritbot added a project: Patch-For-Review.Oct 27 2022, 11:10 AM
gerritbot added a comment.Oct 28 2022, 7:49 AM

Change 850098 merged by jenkins-bot:

[operations/mediawiki-config@master] [labs] GrowthExperiments: Use d3.js with new impact module

https://gerrit.wikimedia.org/r/850098

Maintenance_bot removed a project: Patch-For-Review.Oct 28 2022, 8:30 AM
kostajh mentioned this in T322202: NewImpact: Explore using Charts.css for sparkline.Nov 2 2022, 12:11 PM
DMburugu added a comment.Nov 7 2022, 6:09 PM

Hey @Reedy, is it possible to get an estimate on which week in the quarter the review will be done?

kostajh added a comment.EditedNov 10 2022, 12:31 PM
In T318854#8376406, @DMburugu wrote:

Hey @Reedy, is it possible to get an estimate on which week in the quarter the review will be done?

Note that T321215: Use d3 subpackages instead of the full bundle reworked our code to use a subset of d3 packages. It might be easier to review that patch which adds the relevant d3 packages to devDependencies in the GrowthExperiments package.json.

kostajh updated the task description. (Show Details)Nov 10 2022, 4:19 PM
sbassett added a comment.Nov 21 2022, 9:06 PM

Per Slack conversation with @DMburugu - I've added a medium risk to our application security risk register for the early (pre security review) production deployment of d3js this Monday, November 28th.

(though technically d3js is already within Wikimedia production for a separate use-case)

sbassett changed the task status from Open to In Progress.Nov 21 2022, 9:06 PM
sbassett triaged this task as Medium priority.
kostajh added a comment.Nov 25 2022, 9:53 AM
In T318854#8411246, @sbassett wrote:

Per Slack conversation with @DMburugu - I've added a medium risk to our application security risk register for the early (pre security review) production deployment of d3js this Monday, November 28th.

(though technically d3js is already within Wikimedia production for a separate use-case)

Thanks @sbassett. If I understand correctly, that means we are OK to go ahead with using d3.js in production as early as November 28th. (Realistically, it is more likely to be December 5 when we start putting this in front of users.)

gerritbot added a comment.Nov 25 2022, 10:01 AM

Change 860841 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/GrowthExperiments@master] NewImpact: Remove d3 feature-flag

https://gerrit.wikimedia.org/r/860841

gerritbot added a project: Patch-For-Review.Nov 25 2022, 10:01 AM
gerritbot added a comment.Nov 25 2022, 4:25 PM

Change 860918 had a related patch set uploaded (by Sergio Gimeno; author: Sergio Gimeno):

[mediawiki/extensions/GrowthExperiments@master] NewImpact: unskip NewImpact vue test

https://gerrit.wikimedia.org/r/860918

gerritbot added a comment.Nov 28 2022, 10:26 AM

Change 860918 abandoned by Kosta Harlan:

[mediawiki/extensions/GrowthExperiments@master] NewImpact: unskip NewImpact vue test

Reason:

Squashed, added Sergio as co-author on parent patch. Thanks!

https://gerrit.wikimedia.org/r/860918

gerritbot added a comment.Nov 28 2022, 10:46 AM

Change 860841 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] NewImpact: Remove d3 feature-flag

https://gerrit.wikimedia.org/r/860841

ReleaseTaggerBot added a project: MW-1.40-notes (1.40.0-wmf.12; 2022-11-28).Nov 28 2022, 11:01 AM
sbassett added a comment.Nov 28 2022, 6:57 PM
In T318854#8421099, @kostajh wrote:

Thanks @sbassett. If I understand correctly, that means we are OK to go ahead with using d3.js in production as early as November 28th. (Realistically, it is more likely to be December 5 when we start putting this in front of users.)

Yes, with the understanding that your team and @DMburugu own the medium risk for that deployment,

kostajh added a comment.Nov 28 2022, 7:36 PM
In T318854#8425799, @sbassett wrote:
In T318854#8421099, @kostajh wrote:

Thanks @sbassett. If I understand correctly, that means we are OK to go ahead with using d3.js in production as early as November 28th. (Realistically, it is more likely to be December 5 when we start putting this in front of users.)

Yes, with the understanding that your team and @DMburugu own the medium risk for that deployment,

Thanks. What does owning that risk mean, exactly?

Based on https://office.wikimedia.org/wiki/Security/Policy/Risk_Management, are we now supposed to create a risk treatment plan? (And if so, what should that contain -- are there examples?)

sbassett added a comment.Nov 28 2022, 8:47 PM
In T318854#8425952, @kostajh wrote:

Thanks. What does owning that risk mean, exactly?

In general, it means that the decision to put d3js into production in this fashion (prior to any security review) is a decision completely owned by your team and @DMburugu. Including any potential negative consequences.

Based on https://office.wikimedia.org/wiki/Security/Policy/Risk_Management, are we now supposed to create a risk treatment plan? (And if so, what should that contain -- are there examples?)

That's definitely the best practice - to create a risk mitigation plan. Though for situations like this that doesn't always make sense. Theoretically, the risk mitigation plan would be having a security review performed and mitigating any resultant risk prior to deployment. But given timelines and resource constraints that isn't really an option in this case, and so a default medium risk has been applied and accepted.

gerritbot added a comment.Nov 28 2022, 9:13 PM

Change 861466 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/GrowthExperiments@master] Revert "NewImpact: Remove d3 feature-flag"

https://gerrit.wikimedia.org/r/861466

gerritbot added a comment.Nov 29 2022, 2:16 AM

Change 861466 merged by jenkins-bot:

[mediawiki/extensions/GrowthExperiments@master] Revert "NewImpact: Remove d3 feature-flag"

https://gerrit.wikimedia.org/r/861466

ReleaseTaggerBot edited projects, added MW-1.40-notes (1.40.0-wmf.13; 2022-12-05); removed MW-1.40-notes (1.40.0-wmf.12; 2022-11-28).Nov 29 2022, 3:00 AM
gerritbot added a comment.Nov 29 2022, 4:15 AM

Change 861506 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] [no-op] GrowthExperiments: Enable D3 in production

https://gerrit.wikimedia.org/r/861506

kostajh added a comment.Nov 29 2022, 2:05 PM
In T318854#8426250, @sbassett wrote:
In T318854#8425952, @kostajh wrote:

Thanks. What does owning that risk mean, exactly?

In general, it means that the decision to put d3js into production in this fashion (prior to any security review) is a decision completely owned by your team and @DMburugu. Including any potential negative consequences.

Based on https://office.wikimedia.org/wiki/Security/Policy/Risk_Management, are we now supposed to create a risk treatment plan? (And if so, what should that contain -- are there examples?)

That's definitely the best practice - to create a risk mitigation plan. Though for situations like this that doesn't always make sense. Theoretically, the risk mitigation plan would be having a security review performed and mitigating any resultant risk prior to deployment. But given timelines and resource constraints that isn't really an option in this case, and so a default medium risk has been applied and accepted.

We retained the code (T318854#8426821) that would allow us to turn of d3 integration with a config switch (set GENewImpactD3Enabled to false in InitialiseSettings.php), in case the security review comes up with something concerning.

We look forward to seeing the security review. Thanks!

gerritbot added a comment.Dec 1 2022, 2:29 PM

Change 861506 merged by jenkins-bot:

[operations/mediawiki-config@master] [no-op] GrowthExperiments: Enable D3 in production

https://gerrit.wikimedia.org/r/861506

Stashbot added a comment.Dec 1 2022, 2:30 PM

Mentioned in SAL (#wikimedia-operations) [2022-12-01T14:30:13Z] <kharlan@deploy1002> Started scap: Backport for [[gerrit:861506|[no-op] GrowthExperiments: Enable D3 in production (T318854)]]

Stashbot added a comment.Dec 1 2022, 2:31 PM

Mentioned in SAL (#wikimedia-operations) [2022-12-01T14:31:19Z] <kharlan@deploy1002> kharlan and tgr: Backport for [[gerrit:861506|[no-op] GrowthExperiments: Enable D3 in production (T318854)]] synced to the testservers: mwdebug1001.eqiad.wmnet, mwdebug2002.codfw.wmnet, mwdebug1002.eqiad.wmnet, mwdebug2001.codfw.wmnet

Stashbot added a comment.Dec 1 2022, 2:36 PM

Mentioned in SAL (#wikimedia-operations) [2022-12-01T14:36:17Z] <kharlan@deploy1002> Finished scap: Backport for [[gerrit:861506|[no-op] GrowthExperiments: Enable D3 in production (T318854)]] (duration: 06m 04s)

Reedy removed a project: Patch-For-Review.Dec 8 2022, 3:13 PM
Reedy updated the task description. (Show Details)Dec 8 2022, 3:51 PM
kostajh updated the task description. (Show Details)Dec 19 2022, 3:54 PM
sbassett added a comment.EditedJan 4 2023, 2:50 AM

Security Review Summary - T318854 - 2023-01-03

Overall, the current vendor code under consideration (specifically the sub components as defined here) appear to be in good shape per various security analyses performed below. These components of the d3js package can be considered to have an overall risk rating of low.

General Security Information

Statistic/InfoValueRisk
Repositoryhttps://github.com/d3/d3 none
Relevant tag/branchv7.8.0 per c855001 none
Last commit reviewed (if relevant)73ed925d12 none
Recent contributions to code (6 months)6 low risk
Active developers with > 10 commits10 low risk
Current overall usagehigh low risk
Current open security issues0 none
Methods for reporting security issuesnone medium risk

Vulnerable Packages
none

Outdated Packages
As reported via npm outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

PackageCurrentWantedLatest
eslint8.30.08.31.08.31.0
rollup3.7.53.9.13.9.1

Scorecard score
4.2 / 10 medium risk
(see raw output: P42747)

Potential HTTP and protocol Leaks
none

Static Analysis Findings

  1. lockfile-lint returned no results. low risk
  2. gitleaks returned no results. low risk
  3. whispers returned no results. low risk
  4. scan scan:latest returned no results. low risk
  5. semgrep 1.2.1 was run with several popular and custom policies and rule-sets. Some lightly-curated results are found within P42748. All of these appear to be "potential" ReDoS issues, but none appear to be legitimate vulnerabilities. low risk
sbassett closed this task as Resolved.Jan 4 2023, 2:51 AM
sbassett claimed this task.
sbassett moved this task from In Progress to Our Part Is Done on the secscrum board.
gerritbot added a comment.Jan 9 2023, 4:50 PM

Change 877206 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/extensions/GrowthExperiments@master] NewImpact: Remove d3 feature-flag

https://gerrit.wikimedia.org/r/877206

gerritbot added a project: Patch-For-Review.Jan 9 2023, 4:50 PM
ReleaseTaggerBot edited projects, added MW-1.40-notes (1.40.0-wmf.18; 2023-01-09); removed MW-1.40-notes (1.40.0-wmf.13; 2022-12-05).Jan 9 2023, 7:00 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits